Contents

Unlike most disk encryption software, GBDE does not attempt to defeat watermarking attacks through the use of disk encryption-specific modes of operation (see disk encryption theory), but instead generates a random key each time a sector is written.[2] Unlike some alternatives, such as CBC with sector-specific initialization vectors, this approach does not reveal any information to the attacker even if they have access to snapshots of the disk image from different points in time, since encryption keys are never re-used.

The one time sector key is encrypted using a pseudorandom key. This pseudorandom key is derived from the sector number and a static 2048-bit master key with 128 bits of salt. The pseudorandom number generator used for this purpose is called the Cherry Picker. This is not a well established PRNG, but rather one invented for GBDE. This generator may not meet the security levels of standard algorithms, and could be distinguishable from random numbers.[3]

Due to this unique approach, GBDE only supports 128-bit AES. Using a different key for each write also introduces a significant CPU overhead, as most block ciphers use key-specific precomputations, and makes disk updates non-atomic since the keys are written separately from the data. As a result, data loss can occur on unexpected power drops, even when used with journaling file systems. GBDE also has a disk space overhead of about 3% to store the per-sector keys.

To address these shortcomings, a more typical disk encryption solution for FreeBSD, GELI, was written later by Pawel Jakub Dawidek.